OpenVPN
test_pkt.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2016-2021 Fox Crypto B.V. <openvpn@foxcrypto.com>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #endif
27 
28 #include "syshead.h"
29 
30 #include <stdio.h>
31 #include <stdlib.h>
32 #include <stdarg.h>
33 #include <string.h>
34 #include <setjmp.h>
35 #include <cmocka.h>
36 #include "test_common.h"
37 
38 #include "crypto.h"
39 #include "options.h"
40 #include "ssl_backend.h"
41 #include "ssl_pkt.h"
42 #include "tls_crypt.h"
43 
44 #include "mss.h"
45 #include "reliable.h"
46 
47 int
48 parse_line(const char *line, char **p, const int n, const char *file,
49  const int line_num, int msglevel, struct gc_arena *gc)
50 {
51  /* Dummy function to get the linker happy, should never be called */
52  assert_true(false);
53  return 0;
54 }
55 
56 /* Define this function here as dummy since including the ssl_*.c files
57  * leads to having to include even more unrelated code */
58 bool
60  const char *label, size_t label_size,
61  void *ekm, size_t ekm_size)
62 {
63  ASSERT(0);
64 }
65 
66 const char *
68 {
69  return "dummy print_link_socket_actual from unit test";
70 }
71 
72 const char static_key[] = "<tls-auth>\n"
73  "-----BEGIN OpenVPN Static key V1-----\n"
74  "37268ea8f95d7f71f9fb8fc03770c460\n"
75  "daf714a483d815c013ce0a537efc18f2\n"
76  "8f4f172669d9e6a413bac6741d8ea054\n"
77  "00f49b7fd6326470f23798c606bf53d4\n"
78  "de63ebc64ec59d57ce5d04d5b62e68b5\n"
79  "3ca6e5354351097fa370446c4d269f18\n"
80  "7bb6ae54af2dc70ff7317fe2f8754b82\n"
81  "82aad4202f9fa42c8640245d883e2c54\n"
82  "a0c1c489a036cf3a8964d8d289c1583b\n"
83  "9447c262b1da5fd167a5d27bd5ac5143\n"
84  "17bc2343a31a2efc38dd920d910375f5\n"
85  "1c2e27f3afd36c49269da079f7ce466e\n"
86  "bb0f9ad13e9bbb4665974e6bc24b513c\n"
87  "5700393bf4a3e7f967e2f384069ac8a8\n"
88  "e78b18b15604993fd16515cce9c0f3e4\n"
89  "2b4126b999005ade802797b0eeb8b9e6\n"
90  "-----END OpenVPN Static key V1-----\n"
91  "</tls-auth>\n";
92 
93 const uint8_t client_reset_v2_none[] =
94 { 0x38, 0x68, 0x91, 0x92, 0x3f, 0xa3, 0x10, 0x34,
95  0x37, 0x00, 0x00, 0x00, 0x00, 0x00 };
96 
97 const uint8_t client_reset_v2_tls_auth[] =
98 { 0x38, 0xde, 0x69, 0x4c, 0x5c, 0x7b, 0xfb, 0xa2,
99  0x74, 0x93, 0x53, 0x7c, 0x1d, 0xed, 0x4e, 0x78,
100  0x15, 0x29, 0xae, 0x7c, 0xfe, 0x4b, 0x8c, 0x6d,
101  0x6b, 0x2b, 0x51, 0xf0, 0x5a, 0x00, 0x00, 0x00,
102  0x01, 0x61, 0xd3, 0xbf, 0x6c, 0x00, 0x00, 0x00,
103  0x00, 0x00};
104 
105 const uint8_t client_reset_v2_tls_crypt[] =
106 {0x38, 0xf4, 0x19, 0xcb, 0x12, 0xd1, 0xf9, 0xe4,
107  0x8f, 0x00, 0x00, 0x00, 0x01, 0x61, 0xd3, 0xf8,
108  0xe1, 0x33, 0x02, 0x06, 0xf5, 0x68, 0x02, 0xbe,
109  0x44, 0xfb, 0xed, 0x90, 0x50, 0x64, 0xe3, 0xdb,
110  0x43, 0x41, 0x6b, 0xec, 0x5e, 0x52, 0x67, 0x19,
111  0x46, 0x2b, 0x7e, 0xb9, 0x0c, 0x96, 0xde, 0xfc,
112  0x9b, 0x05, 0xc4, 0x48, 0x79, 0xf7};
113 
114 /* Valid tls-auth client CONTROL_V1 packet with random server id */
115 const uint8_t client_ack_tls_auth_randomid[] = {
116  0x20, 0x14, 0x01, 0x4e, 0xbc, 0x80, 0xc6, 0x14,
117  0x2b, 0x7b, 0xc8, 0x76, 0xfb, 0xc5, 0x2e, 0x27,
118  0xb1, 0xc5, 0x07, 0x35, 0x5b, 0xb6, 0x00, 0x6b,
119  0xae, 0x71, 0xba, 0x4e, 0x38, 0x00, 0x00, 0x00,
120  0x03, 0x61, 0xd3, 0xff, 0x53, 0x00, 0x00, 0x00,
121  0x00, 0x01, 0x16, 0x03, 0x01, 0x01, 0x0c, 0x01,
122  0x00, 0x01, 0x08, 0x03, 0x03, 0x8c, 0xaa, 0xac,
123  0x3a, 0x1a, 0x07, 0xbd, 0xe7, 0xb7, 0x50, 0x06,
124  0x9b, 0x94, 0x0c, 0x34, 0x4b, 0x5a, 0x35, 0xca,
125  0xc4, 0x79, 0xbd, 0xc9, 0x09, 0xb0, 0x7b, 0xd9,
126  0xee, 0xbb, 0x7d, 0xe7, 0x25, 0x20, 0x39, 0x38,
127  0xe2, 0x18, 0x33, 0x36, 0x14, 0x9f, 0x34, 0xf0,
128  0x44, 0x59, 0x96, 0x8d, 0x0e, 0xd2, 0x47, 0x76,
129  0x64, 0x88, 0x59, 0xe9, 0x38, 0x03, 0x97, 0x96,
130  0x98, 0x45, 0xfb, 0xf5, 0xff, 0x23, 0x00, 0x32,
131  0x13, 0x02, 0x13, 0x03, 0x13, 0x01, 0xc0, 0x2c,
132  0xc0, 0x30, 0x00, 0x9f, 0xcc, 0xa9, 0xcc, 0xa8,
133  0xcc, 0xaa, 0xc0, 0x2b, 0xc0, 0x2f, 0x00, 0x9e,
134  0xc0, 0x24, 0xc0, 0x28, 0x00, 0x6b, 0xc0, 0x23,
135  0xc0, 0x27, 0x00, 0x67, 0xc0, 0x0a, 0xc0, 0x14,
136  0x00, 0x39, 0xc0, 0x09, 0xc0, 0x13, 0x00, 0x33,
137  0x00, 0xff, 0x01, 0x00, 0x00, 0x8d, 0x00, 0x0b,
138  0x00, 0x04, 0x03, 0x00, 0x01, 0x02, 0x00, 0x0a,
139  0x00, 0x0c, 0x00, 0x0a, 0x00, 0x1d, 0x00, 0x17,
140  0x00, 0x1e, 0x00, 0x19, 0x00, 0x18, 0x00, 0x16,
141  0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 0x0d,
142  0x00, 0x30, 0x00, 0x2e, 0x04, 0x03, 0x05, 0x03,
143  0x06, 0x03, 0x08, 0x07, 0x08, 0x08, 0x08, 0x09,
144  0x08, 0x0a, 0x08, 0x0b, 0x08, 0x04, 0x08, 0x05,
145  0x08, 0x06, 0x04, 0x01, 0x05, 0x01, 0x06, 0x01,
146  0x03, 0x03, 0x02, 0x03, 0x03, 0x01, 0x02, 0x01,
147  0x03, 0x02, 0x02, 0x02, 0x04, 0x02, 0x05, 0x02,
148  0x06, 0x02, 0x00, 0x2b, 0x00, 0x05, 0x04, 0x03,
149  0x04, 0x03, 0x03, 0x00, 0x2d, 0x00, 0x02, 0x01,
150  0x01, 0x00, 0x33, 0x00, 0x26, 0x00, 0x24, 0x00,
151  0x1d, 0x00, 0x20, 0x0e, 0xc9, 0x7a, 0xff, 0x58,
152  0xdb, 0x56, 0xf6, 0x40, 0xd1, 0xed, 0xdb, 0x91,
153  0x81, 0xd6, 0xef, 0x83, 0x86, 0x8a, 0xb2, 0x3d,
154  0x88, 0x92, 0x3f, 0xd8, 0x51, 0x9c, 0xd6, 0x26,
155  0x56, 0x33, 0x6b
156 };
157 
158 /* This is a truncated packet as we do not care for the TLS payload in the
159  * unit test */
160 const uint8_t client_control_with_ack[] = {
161  0x20, 0x78, 0x19, 0xbf, 0x2e, 0xbc, 0xd1, 0x9a,
162  0x45, 0x01, 0x00, 0x00, 0x00, 0x00, 0xea,
163  0xfe, 0xbf, 0xa4, 0x41, 0x8a, 0xe3, 0x1b,
164  0x00, 0x00, 0x00, 0x01, 0x16, 0x03, 0x01
165 };
166 
167 const uint8_t client_ack_none_random_id[] = {
168  0x28, 0xae, 0xb9, 0xaf, 0xe1, 0xf0, 0x1d, 0x79,
169  0xc8, 0x01, 0x00, 0x00, 0x00, 0x00, 0xdd,
170  0x85, 0xdb, 0x53, 0x56, 0x23, 0xb0, 0x2e
171 };
172 
173 struct tls_auth_standalone
174 init_tas_auth(int key_direction)
175 {
176  struct tls_auth_standalone tas = { 0 };
177  struct frame frame = { {.headroom = 200, .payload_size = 1400}, 0};
178  tas.frame = frame;
179 
180  tas.tls_wrap.mode = TLS_WRAP_AUTH;
181  /* we ignore packet ids on for the first packet check */
183 
184  struct key_type tls_crypt_kt;
185  init_key_type(&tls_crypt_kt, "none", "SHA1", true, false);
186 
188  static_key, true, key_direction,
189  "Control Channel Authentication", "tls-auth",
190  NULL);
191  tas.workbuf = alloc_buf(1600);
192 
193  return tas;
194 }
195 
196 struct tls_auth_standalone
197 init_tas_crypt(bool server)
198 {
199  struct tls_auth_standalone tas = { 0 };
200  tas.tls_wrap.mode = TLS_WRAP_CRYPT;
202 
205  true, server);
206  tas.workbuf = alloc_buf(1600);
207  tas.tls_wrap.work = alloc_buf(1600);
208 
209  return tas;
210 }
211 
212 void
214 {
215  /* Not some of these might be null pointers but calling free on null
216  * pointers is a noop */
218  free_buf(&tas->workbuf);
219  free_buf(&tas->tls_wrap.work);
220 }
221 
222 void
224 {
225  struct link_socket_actual from = { 0 };
226  struct tls_pre_decrypt_state state = { 0 };
227 
228  struct tls_auth_standalone tas = init_tas_crypt(true);
229  struct buffer buf = alloc_buf(1024);
230 
231  /* tls-auth should be invalid */
233  enum first_packet_verdict verdict = tls_pre_decrypt_lite(&tas, &state, &from, &buf);
234  assert_int_equal(verdict, VERDICT_INVALID);
236 
237  /* as well as the too short normal reset */
238  buf_reset_len(&buf);
240  verdict = tls_pre_decrypt_lite(&tas, &state, &from, &buf);
241  assert_int_equal(verdict, VERDICT_INVALID);
243 
244  /* the tls-crypt should validate */
245  buf_reset_len(&buf);
247  verdict = tls_pre_decrypt_lite(&tas, &state, &from, &buf);
248  assert_int_equal(verdict, VERDICT_VALID_RESET_V2);
250 
251  /* flip a byte in various places */
252  for (int i = 0; i<sizeof(client_reset_v2_tls_crypt); i++)
253  {
254  buf_reset_len(&buf);
256  BPTR(&buf)[i] = 0x23;
257  verdict = tls_pre_decrypt_lite(&tas, &state, &from, &buf);
258  assert_int_equal(verdict, VERDICT_INVALID);
260  }
261 
263  free_tas(&tas);
264  free_buf(&buf);
265 }
266 
267 
268 void
270 {
271  struct link_socket_actual from = { 0 };
272  struct tls_auth_standalone tas = { 0 };
273  struct tls_pre_decrypt_state state = { 0 };
274  enum first_packet_verdict verdict;
275 
276  struct buffer buf = alloc_buf(1024);
278 
279  /* Packet to short to contain the hmac */
281 
282  verdict = tls_pre_decrypt_lite(&tas, &state, &from, &buf);
283  assert_int_equal(verdict, VERDICT_INVALID);
285 
286  /* Valid tls-auth packet, should validate */
287  buf_reset_len(&buf);
289  verdict = tls_pre_decrypt_lite(&tas, &state, &from, &buf);
290  assert_int_equal(verdict, VERDICT_VALID_RESET_V2);
292 
294  /* The pre decrypt function should not modify the buffer, so calling it
295  * again should have the same result */
296  verdict = tls_pre_decrypt_lite(&tas, &state, &from, &buf);
297  assert_int_equal(verdict, VERDICT_VALID_RESET_V2);
299 
300  /* and buf memory should be equal */
301  assert_memory_equal(BPTR(&buf), client_reset_v2_tls_auth, sizeof(client_reset_v2_tls_auth));
303 
304  buf_reset_len(&buf);
306  verdict = tls_pre_decrypt_lite(&tas, &state, &from, &buf);
307  assert_int_equal(verdict, VERDICT_VALID_CONTROL_V1);
309 
310  /* flip a byte in the hmac */
311  BPTR(&buf)[20] = 0x23;
312  verdict = tls_pre_decrypt_lite(&tas, &state, &from, &buf);
313  assert_int_equal(verdict, VERDICT_INVALID);
315 
317  /* Wrong key direction gives a wrong hmac key and should not validate */
319  free_tas(&tas);
321 
322  buf_reset_len(&buf);
324  verdict = tls_pre_decrypt_lite(&tas, &state, &from, &buf);
325  assert_int_equal(verdict, VERDICT_INVALID);
326 
328  free_tas(&tas);
329  free_buf(&buf);
330 }
331 
332 void
334 {
335  struct link_socket_actual from = { 0 };
336  struct tls_auth_standalone tas = { 0 };
337  struct tls_pre_decrypt_state state = { 0 };
338 
339  struct buffer buf = alloc_buf(1024);
341 
342  tas.tls_wrap.mode = TLS_WRAP_NONE;
343 
344  /* the method will not do additional test, so the tls-auth and tls-crypt
345  * reset will be accepted */
346  enum first_packet_verdict verdict = tls_pre_decrypt_lite(&tas, &state, &from, &buf);
347  assert_int_equal(verdict, VERDICT_VALID_RESET_V2);
349 
350  buf_reset_len(&buf);
352  verdict = tls_pre_decrypt_lite(&tas, &state, &from, &buf);
353  assert_int_equal(verdict, VERDICT_VALID_RESET_V2);
355 
357  buf_reset_len(&buf);
359  verdict = tls_pre_decrypt_lite(&tas, &state, &from, &buf);
360  assert_int_equal(verdict, VERDICT_VALID_RESET_V2);
362 
364 
365  /* This is not a reset packet and should trigger the other response */
366  buf_reset_len(&buf);
368  verdict = tls_pre_decrypt_lite(&tas, &state, &from, &buf);
369  assert_int_equal(verdict, VERDICT_VALID_CONTROL_V1);
370 
372  free_buf(&buf);
373  free_tas(&tas);
374 }
375 
376 static void
377 test_parse_ack(void **ut_state)
378 {
379  struct buffer buf = alloc_buf(1024);
381 
382  /* skip over op code and peer session id */
383  buf_advance(&buf, 9);
384 
385  struct reliable_ack ack;
386  struct session_id sid;
387  bool ret;
388 
389  ret = reliable_ack_parse(&buf, &ack, &sid);
390  assert_true(ret);
391 
392  assert_int_equal(ack.len, 1);
393  assert_int_equal(ack.packet_id[0], 0);
394 
395  struct session_id expected_id = { .id = {0xea, 0xfe, 0xbf, 0xa4, 0x41, 0x8a, 0xe3, 0x1b }};
396  assert_memory_equal(&sid, &expected_id, SID_SIZE);
397 
398  buf_reset_len(&buf);
400 
401  /* skip over op code and peer session id */
402  buf_advance(&buf, 9);
403  ret = reliable_ack_parse(&buf, &ack, &sid);
404  assert_true(ret);
405 
406  assert_int_equal(ack.len, 1);
407  assert_int_equal(ack.packet_id[0], 0);
408 
409  struct session_id expected_id2 = { .id = {0xdd, 0x85, 0xdb, 0x53, 0x56, 0x23, 0xb0, 0x2e }};
410  assert_memory_equal(&sid, &expected_id2, SID_SIZE);
411 
412  buf_reset_len(&buf);
414 
415  /* skip over op code and peer session id */
416  buf_advance(&buf, 9);
417  ret = reliable_ack_parse(&buf, &ack, &sid);
418 
419  free_buf(&buf);
420 }
421 
422 static void
424 {
426 
427  struct link_socket_actual from = { 0 };
428  struct tls_auth_standalone tas = { 0 };
429  struct tls_pre_decrypt_state state = { 0 };
430 
431  struct buffer buf = alloc_buf(1024);
432  enum first_packet_verdict verdict;
433 
435 
436  buf_reset_len(&buf);
438  verdict = tls_pre_decrypt_lite(&tas, &state, &from, &buf);
439  assert_int_equal(verdict, VERDICT_VALID_CONTROL_V1);
440 
441  /* This is a valid packet but containing a random id instead of an HMAC id*/
442  bool valid = check_session_id_hmac(&state, &from.dest, hmac, 30);
443  assert_false(valid);
444 
446  free_buf(&buf);
447  free_tas(&tas);
448  hmac_ctx_cleanup(hmac);
449  hmac_ctx_free(hmac);
450 }
451 
452 static void
453 test_verify_hmac_none(void **ut_state)
454 {
456 
457  struct link_socket_actual from = { 0 };
458  from.dest.addr.sa.sa_family = AF_INET;
459 
460  struct tls_auth_standalone tas = { 0 };
461  struct tls_pre_decrypt_state state = { 0 };
462 
463  struct buffer buf = alloc_buf(1024);
464  enum first_packet_verdict verdict;
465 
466  tas.tls_wrap.mode = TLS_WRAP_NONE;
467 
468  buf_reset_len(&buf);
470  verdict = tls_pre_decrypt_lite(&tas, &state, &from, &buf);
471  assert_int_equal(verdict, VERDICT_VALID_ACK_V1);
472 
473  bool valid = check_session_id_hmac(&state, &from.dest, hmac, 30);
474  assert_true(valid);
475 
477  free_buf(&buf);
478  hmac_ctx_cleanup(hmac);
479  hmac_ctx_free(hmac);
480 }
481 
482 static hmac_ctx_t *
484 {
485  ASSERT(md_valid("SHA256"));
486  hmac_ctx_t *hmac_ctx = hmac_ctx_new();
487 
488  uint8_t key[SHA256_DIGEST_LENGTH] = {1, 2, 3, 0};
489 
490  hmac_ctx_init(hmac_ctx, key, "SHA256");
491  return hmac_ctx;
492 }
493 
494 static void
496 {
497  hmac_ctx_t *hmac = init_static_hmac();
498  static const int handwindow = 100;
499 
500  struct openvpn_sockaddr addr = { 0 };
501 
502  addr.addr.in4.sin_family = AF_INET;
503  addr.addr.in4.sin_addr.s_addr = ntohl(0xff000ff);
504  addr.addr.in4.sin_port = ntohs(1195);
505 
506  struct session_id client_id = { {0, 1, 2, 3, 4, 5, 6, 7}};
507 
508  now = 1005;
509  struct session_id server_id = calculate_session_id_hmac(client_id, &addr, hmac, handwindow, 0);
510 
511 
512  struct session_id expected_server_id = {{0x84, 0x73, 0x52, 0x2b, 0x5b, 0xa9, 0x2a, 0x70}};
513  /* We have to deal with different structs here annoyingly */
514  /* Linux has an unsigned short int as family_t and this is field is always
515  * stored in host endianness even though the rest of the struct isn't...,
516  * so Linux little endian differs from all BSD and Linux big endian */
517  if (sizeof(addr.addr.in4.sin_family) == sizeof(unsigned short int)
518  && ntohs(AF_INET) != AF_INET)
519  {
520  struct session_id linuxle = {{0x8b, 0xeb, 0x3d, 0x20, 0x14, 0x53, 0xbe, 0x0a }};
521  expected_server_id = linuxle;
522  }
523  assert_memory_equal(expected_server_id.id, server_id.id, SID_SIZE);
524 
525  struct session_id server_id_m1 = calculate_session_id_hmac(client_id, &addr, hmac, handwindow, -1);
526  struct session_id server_id_p1 = calculate_session_id_hmac(client_id, &addr, hmac, handwindow, 1);
527  struct session_id server_id_p2 = calculate_session_id_hmac(client_id, &addr, hmac, handwindow, 2);
528 
529  assert_memory_not_equal(expected_server_id.id, server_id_m1.id, SID_SIZE);
530  assert_memory_not_equal(expected_server_id.id, server_id_p1.id, SID_SIZE);
531 
532  /* changing the time puts us into the next hmac time window (handwindow/2=50)
533  * and shifts the ids by one */
534  now = 1062;
535 
536  struct session_id server_id2_m2 = calculate_session_id_hmac(client_id, &addr, hmac, handwindow, -2);
537  struct session_id server_id2_m1 = calculate_session_id_hmac(client_id, &addr, hmac, handwindow, -1);
538  struct session_id server_id2 = calculate_session_id_hmac(client_id, &addr, hmac, handwindow, 0);
539  struct session_id server_id2_p1 = calculate_session_id_hmac(client_id, &addr, hmac, handwindow, 1);
540 
541  assert_memory_equal(server_id2_m2.id, server_id_m1.id, SID_SIZE);
542  assert_memory_equal(server_id2_m1.id, expected_server_id.id, SID_SIZE);
543  assert_memory_equal(server_id2.id, server_id_p1.id, SID_SIZE);
544  assert_memory_equal(server_id2_p1.id, server_id_p2.id, SID_SIZE);
545 
546  hmac_ctx_cleanup(hmac);
547  hmac_ctx_free(hmac);
548 }
549 
550 static void
552 {
553  struct link_socket_actual from = { 0 };
554  struct tls_auth_standalone tas = { 0 };
555  struct tls_pre_decrypt_state state = { 0 };
556 
557  struct session_id client_id = {{0, 1, 2, 3, 4, 5, 6, 7}};
558  struct session_id server_id = {{8, 9, 0, 9, 8, 7, 6, 2}};
559 
560  enum first_packet_verdict verdict;
561 
562  tas.tls_wrap.mode = TLS_WRAP_NONE;
563  struct frame frame = { {.headroom = 200, .payload_size = 1400}, 0};
564  tas.frame = frame;
565  tas.workbuf = alloc_buf(1600);
566 
567  uint8_t header = 0 | (P_CONTROL_HARD_RESET_CLIENT_V2 << P_OPCODE_SHIFT);
568 
569  struct buffer buf = tls_reset_standalone(&tas.tls_wrap, &tas, &client_id, &server_id, header, false);
570 
571 
572  verdict = tls_pre_decrypt_lite(&tas, &state, &from, &buf);
573  assert_int_equal(verdict, VERDICT_VALID_RESET_V2);
574 
575  /* Assure repeated generation of reset is deterministic/stateless*/
576  assert_memory_equal(state.peer_session_id.id, client_id.id, SID_SIZE);
577  struct buffer buf2 = tls_reset_standalone(&tas.tls_wrap, &tas, &client_id, &server_id, header, false);
578  assert_int_equal(BLEN(&buf), BLEN(&buf2));
579  assert_memory_equal(BPTR(&buf), BPTR(&buf2), BLEN(&buf));
580 
582  free_buf(&tas.workbuf);
583 }
584 
585 static void
587 {
588  struct link_socket_actual from = { 0 };
589  struct tls_pre_decrypt_state state = { 0 };
590 
593 
594  packet_id_init(&tas_client.tls_wrap.opt.packet_id, 5, 5, "UNITTEST", 0);
595 
596  struct session_id client_id = {{0xab, 1, 2, 3, 4, 5, 6, 0xcd}};
597  struct session_id server_id = {{8, 9, 0xa, 0xc, 8, 7, 6, 2}};
598 
599  uint8_t header = 0 | (P_CONTROL_HARD_RESET_CLIENT_V2 << P_OPCODE_SHIFT);
600 
601  now = 0x22446688;
603  struct buffer buf = tls_reset_standalone(&tas_client.tls_wrap, &tas_client, &client_id, &server_id, header, false);
604 
605  enum first_packet_verdict verdict = tls_pre_decrypt_lite(&tas_server, &state, &from, &buf);
606  assert_int_equal(verdict, VERDICT_VALID_RESET_V2);
607 
608  assert_memory_equal(state.peer_session_id.id, client_id.id, SID_SIZE);
609 
610  /* Assure repeated generation of reset is deterministic/stateless*/
612  struct buffer buf2 = tls_reset_standalone(&tas_client.tls_wrap, &tas_client, &client_id, &server_id, header, false);
613  assert_int_equal(BLEN(&buf), BLEN(&buf2));
614  assert_memory_equal(BPTR(&buf), BPTR(&buf2), BLEN(&buf));
615 
617 
618  packet_id_free(&tas_client.tls_wrap.opt.packet_id);
619 
620  free_tas(&tas_client);
621  free_tas(&tas_server);
622 }
623 
624 static void
626 {
627  struct gc_arena gc = gc_new();
628  struct buffer input_buf = alloc_buf_gc(1024, &gc);
629 
630  /* This message will have a \0x00 at the end since it is a C string */
631  const char input[] = "valid control message\r\n\0\0Invalid\r\none\0valid one again";
632 
633  buf_write(&input_buf, input, sizeof(input));
634  struct buffer cmd1 = extract_command_buffer(&input_buf, &gc);
635  struct buffer cmd2 = extract_command_buffer(&input_buf, &gc);
636  struct buffer cmd3 = extract_command_buffer(&input_buf, &gc);
637  struct buffer cmd4 = extract_command_buffer(&input_buf, &gc);
638  struct buffer cmd5 = extract_command_buffer(&input_buf, &gc);
639 
640  assert_string_equal(BSTR(&cmd1), "valid control message");
641  /* empty message with just a \0x00 */
642  assert_int_equal(cmd2.len, 1);
643  assert_string_equal(BSTR(&cmd2), "");
644  assert_int_equal(cmd3.len, 0);
645  assert_string_equal(BSTR(&cmd4), "valid one again");
646  assert_int_equal(cmd5.len, 0);
647 
648  const uint8_t nonull[6] = { 'n', 'o', ' ', 'N', 'U', 'L'};
649  struct buffer nonull_buf = alloc_buf_gc(1024, &gc);
650 
651  buf_write(&nonull_buf, nonull, sizeof(nonull));
652  struct buffer nonullcmd = extract_command_buffer(&nonull_buf, &gc);
653  assert_int_equal(nonullcmd.len, 0);
654 
655  gc_free(&gc);
656 }
657 
658 int
659 main(void)
660 {
662  const struct CMUnitTest tests[] = {
663  cmocka_unit_test(test_tls_decrypt_lite_none),
664  cmocka_unit_test(test_tls_decrypt_lite_auth),
665  cmocka_unit_test(test_tls_decrypt_lite_crypt),
666  cmocka_unit_test(test_parse_ack),
667  cmocka_unit_test(test_calc_session_id_hmac_static),
668  cmocka_unit_test(test_verify_hmac_none),
669  cmocka_unit_test(test_verify_hmac_tls_auth),
670  cmocka_unit_test(test_generate_reset_packet_plain),
671  cmocka_unit_test(test_generate_reset_packet_tls_auth),
672  cmocka_unit_test(test_extract_control_message)
673  };
674 
675 #if defined(ENABLE_CRYPTO_OPENSSL)
676  OpenSSL_add_all_algorithms();
677 #endif
678 
679  int ret = cmocka_run_group_tests_name("pkt tests", tests, NULL, NULL);
680 
681 #if defined(ENABLE_CRYPTO_OPENSSL)
682  EVP_cleanup();
683 #endif
684 
685  return ret;
686 }
VERDICT_VALID_RESET_V2
@ VERDICT_VALID_RESET_V2
This packet is a valid reset packet from the peer (all but tls-crypt-v2)
Definition: ssl_pkt.h:87
hmac_ctx_cleanup
void hmac_ctx_cleanup(hmac_ctx_t *ctx)
print_link_socket_actual
const char * print_link_socket_actual(const struct link_socket_actual *act, struct gc_arena *gc)
Definition: test_pkt.c:67
ssl_backend.h
tls_wrap_ctx::original_wrap_keydata
struct key2 original_wrap_keydata
original key data to be xored in to the key for dynamic tls-crypt.
Definition: ssl_common.h:290
VERDICT_INVALID
@ VERDICT_INVALID
the packet failed on of the various checks
Definition: ssl_pkt.h:98
gc_new
static struct gc_arena gc_new(void)
Definition: buffer.h:1025
hmac_ctx_t
mbedtls_md_context_t hmac_ctx_t
Generic HMAC context.
Definition: crypto_mbedtls.h:48
buffer::len
int len
Length in bytes of the actual content within the allocated memory.
Definition: buffer.h:66
packet_id_init
void packet_id_init(struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit)
Definition: packet_id.c:96
extract_command_buffer
struct buffer extract_command_buffer(struct buffer *buf, struct gc_arena *gc)
Extracts a control channel message from buf and adjusts the size of buf after the message has been ex...
Definition: ssl_pkt.c:562
P_CONTROL_HARD_RESET_CLIENT_V2
#define P_CONTROL_HARD_RESET_CLIENT_V2
Definition: ssl_pkt.h:52
KEY_DIRECTION_NORMAL
#define KEY_DIRECTION_NORMAL
Definition: crypto.h:231
client_ack_none_random_id
const uint8_t client_ack_none_random_id[]
Definition: test_pkt.c:167
test_common.h
first_packet_verdict
first_packet_verdict
Definition: ssl_pkt.h:85
BSTR
#define BSTR(buf)
Definition: buffer.h:129
tls_reset_standalone
struct buffer tls_reset_standalone(struct tls_wrap_ctx *ctx, struct tls_auth_standalone *tas, struct session_id *own_sid, struct session_id *remote_sid, uint8_t header, bool request_resend_wkc)
This function creates a reset packet using the information from the tls pre decrypt state.
Definition: ssl_pkt.c:428
tls_pre_decrypt_lite
enum first_packet_verdict tls_pre_decrypt_lite(const struct tls_auth_standalone *tas, struct tls_pre_decrypt_state *state, const struct link_socket_actual *from, const struct buffer *buf)
Inspect an incoming packet for which no VPN tunnel is active, and determine whether a new VPN tunnel ...
Definition: ssl_pkt.c:307
alloc_buf_gc
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition: buffer.c:88
client_control_with_ack
const uint8_t client_control_with_ack[]
Definition: test_pkt.c:160
test_calc_session_id_hmac_static
static void test_calc_session_id_hmac_static(void **ut_state)
Definition: test_pkt.c:495
session_id_hmac_init
hmac_ctx_t * session_id_hmac_init(void)
Definition: ssl_pkt.c:473
VERDICT_VALID_CONTROL_V1
@ VERDICT_VALID_CONTROL_V1
This packet is a valid control packet from the peer.
Definition: ssl_pkt.h:91
free_tls_pre_decrypt_state
void free_tls_pre_decrypt_state(struct tls_pre_decrypt_state *state)
Definition: ssl_pkt.c:285
client_reset_v2_tls_auth
const uint8_t client_reset_v2_tls_auth[]
Definition: test_pkt.c:97
KEY_DIRECTION_INVERSE
#define KEY_DIRECTION_INVERSE
Definition: crypto.h:232
openvpn_sockaddr
Definition: socket.h:65
reliable_ack_parse
bool reliable_ack_parse(struct buffer *buf, struct reliable_ack *ack, struct session_id *session_id_remote)
Parse an acknowledgment record from a received packet.
Definition: reliable.c:173
P_OPCODE_SHIFT
#define P_OPCODE_SHIFT
Definition: ssl_pkt.h:40
options.h
tls_crypt.h
tls_auth_standalone::workbuf
struct buffer workbuf
Definition: ssl_pkt.h:81
frame
Packet geometry parameters.
Definition: mtu.h:98
test_verify_hmac_none
static void test_verify_hmac_none(void **ut_state)
Definition: test_pkt.c:453
crypto_read_openvpn_key
void crypto_read_openvpn_key(const struct key_type *key_type, struct key_ctx_bi *ctx, const char *key_file, bool key_inline, const int key_direction, const char *key_name, const char *opt_name, struct key2 *keydata)
Definition: crypto.c:1321
buf_reset_len
static void buf_reset_len(struct buffer *buf)
Definition: buffer.h:312
key
Container for unidirectional cipher and HMAC key material.
Definition: crypto.h:151
init_tas_crypt
struct tls_auth_standalone init_tas_crypt(bool server)
Definition: test_pkt.c:197
session_id
Definition: session_id.h:38
reliable_ack::len
int len
Definition: reliable.h:63
tls_auth_standalone::frame
struct frame frame
Definition: ssl_pkt.h:82
free_key_ctx_bi
void free_key_ctx_bi(struct key_ctx_bi *ctx)
Definition: crypto.c:1125
tls_wrap_ctx::mode
enum tls_wrap_ctx::@23 mode
Control channel wrapping mode.
tls_wrap_ctx::opt
struct crypto_options opt
Crypto state.
Definition: ssl_common.h:274
reliable.h
ASSERT
#define ASSERT(x)
Definition: error.h:195
client_reset_v2_none
const uint8_t client_reset_v2_none[]
Definition: test_pkt.c:93
tls_pre_decrypt_state::peer_session_id
struct session_id peer_session_id
Definition: ssl_pkt.h:108
buf_advance
static bool buf_advance(struct buffer *buf, int size)
Definition: buffer.h:618
tls_crypt_kt
static struct key_type tls_crypt_kt(void)
Definition: tls_crypt.c:49
reset_packet_id_send
static void reset_packet_id_send(struct packet_id_send *p)
Reset the current send packet id to its initial state.
Definition: packet_id.h:307
openvpn_sockaddr::sa
struct sockaddr sa
Definition: socket.h:69
BLEN
#define BLEN(buf)
Definition: buffer.h:127
test_tls_decrypt_lite_none
void test_tls_decrypt_lite_none(void **ut_state)
Definition: test_pkt.c:333
SID_SIZE
#define SID_SIZE
Definition: session_id.h:45
openvpn_sockaddr::in4
struct sockaddr_in in4
Definition: socket.h:70
free_tas
void free_tas(struct tls_auth_standalone *tas)
Definition: test_pkt.c:213
tls_wrap_ctx::work
struct buffer work
Work buffer (only for –tls-crypt)
Definition: ssl_common.h:275
tls_pre_decrypt_state
struct that stores the temporary data for the tls lite decrypt functions
Definition: ssl_pkt.h:105
main
int main(void)
Definition: test_pkt.c:659
crypto.h
parse_line
int parse_line(const char *line, char **p, const int n, const char *file, const int line_num, int msglevel, struct gc_arena *gc)
Definition: test_pkt.c:48
test_tls_decrypt_lite_auth
void test_tls_decrypt_lite_auth(void **ut_state)
Definition: test_pkt.c:269
static_key
const char static_key[]
Definition: test_pkt.c:72
init_tas_auth
struct tls_auth_standalone init_tas_auth(int key_direction)
Definition: test_pkt.c:174
reliable_ack::packet_id
packet_id_type packet_id[RELIABLE_ACK_SIZE]
Definition: reliable.h:64
tls_crypt_init_key
void tls_crypt_init_key(struct key_ctx_bi *key, struct key2 *keydata, const char *key_file, bool key_inline, bool tls_server)
Initialize a key_ctx_bi structure for use with –tls-crypt.
Definition: tls_crypt.c:61
buffer
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
test_generate_reset_packet_tls_auth
static void test_generate_reset_packet_tls_auth(void **ut_state)
Definition: test_pkt.c:586
key_state_export_keying_material
bool key_state_export_keying_material(struct tls_session *session, const char *label, size_t label_size, void *ekm, size_t ekm_size)
Keying Material Exporters [RFC 5705] allows additional keying material to be derived from existing TL...
Definition: test_pkt.c:59
calculate_session_id_hmac
struct session_id calculate_session_id_hmac(struct session_id client_sid, const struct openvpn_sockaddr *from, hmac_ctx_t *hmac, int handwindow, int offset)
Calculates the HMAC based server session id based on a client session id and socket addr.
Definition: ssl_pkt.c:487
hmac_ctx_free
void hmac_ctx_free(hmac_ctx_t *ctx)
key_type
Definition: crypto.h:140
test_generate_reset_packet_plain
static void test_generate_reset_packet_plain(void **ut_state)
Definition: test_pkt.c:551
buf_write
static bool buf_write(struct buffer *dest, const void *src, size_t size)
Definition: buffer.h:668
tls_session
Security parameter state of a single session within a VPN tunnel.
Definition: ssl_common.h:479
syshead.h
BPTR
#define BPTR(buf)
Definition: buffer.h:124
session_id::id
uint8_t id[8]
Definition: session_id.h:40
test_extract_control_message
static void test_extract_control_message(void **ut_state)
Definition: test_pkt.c:625
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
openvpn_unit_test_setup
static void openvpn_unit_test_setup(void)
Sets up the environment for unit tests like making both stderr and stdout non-buffered to avoid messa...
Definition: test_common.h:36
test_tls_decrypt_lite_crypt
void test_tls_decrypt_lite_crypt(void **ut_state)
Definition: test_pkt.c:223
test_verify_hmac_tls_auth
static void test_verify_hmac_tls_auth(void **ut_state)
Definition: test_pkt.c:423
tls_auth_standalone::tls_wrap
struct tls_wrap_ctx tls_wrap
Definition: ssl_pkt.h:80
free_buf
void free_buf(struct buffer *buf)
Definition: buffer.c:183
init_static_hmac
static hmac_ctx_t * init_static_hmac(void)
Definition: test_pkt.c:483
SHA256_DIGEST_LENGTH
#define SHA256_DIGEST_LENGTH
Definition: crypto_mbedtls.h:79
ssl_pkt.h
packet_id::send
struct packet_id_send send
Definition: packet_id.h:201
client_reset_v2_tls_crypt
const uint8_t client_reset_v2_tls_crypt[]
Definition: test_pkt.c:105
CO_PACKET_ID_LONG_FORM
#define CO_PACKET_ID_LONG_FORM
Bit-flag indicating whether to use OpenVPN's long packet ID format.
Definition: crypto.h:344
gc_free
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1033
mss.h
crypto_options::key_ctx_bi
struct key_ctx_bi key_ctx_bi
OpenSSL cipher and HMAC contexts for both sending and receiving directions.
Definition: crypto.h:293
test_parse_ack
static void test_parse_ack(void **ut_state)
Definition: test_pkt.c:377
now
time_t now
Definition: otime.c:34
check_session_id_hmac
bool check_session_id_hmac(struct tls_pre_decrypt_state *state, const struct openvpn_sockaddr *from, hmac_ctx_t *hmac, int handwindow)
Checks if a control packet has a correct HMAC server session id.
Definition: ssl_pkt.c:529
config.h
hmac_ctx_new
hmac_ctx_t * hmac_ctx_new(void)
Definition: crypto_openssl.c:1187
CO_IGNORE_PACKET_ID
#define CO_IGNORE_PACKET_ID
Bit-flag indicating whether to ignore the packet ID of a received packet.
Definition: crypto.h:347
hmac_ctx_init
void hmac_ctx_init(hmac_ctx_t *ctx, const uint8_t *key, const char *mdname)
init_key_type
void init_key_type(struct key_type *kt, const char *ciphername, const char *authname, bool tls_mode, bool warn)
Initialize a key_type structure with.
Definition: crypto.c:893
session
Definition: keyingmaterialexporter.c:56
md_valid
bool md_valid(const char *digest)
Return if a message digest parameters is valid given the name of the digest.
Definition: crypto_openssl.c:1039
client_ack_tls_auth_randomid
const uint8_t client_ack_tls_auth_randomid[]
Definition: test_pkt.c:115
crypto_options::packet_id
struct packet_id packet_id
Current packet ID state for both sending and receiving directions.
Definition: crypto.h:330
VERDICT_VALID_ACK_V1
@ VERDICT_VALID_ACK_V1
This packet is a valid ACK control packet from the peer, i.e.
Definition: ssl_pkt.h:94
crypto_options::flags
unsigned int flags
Bit-flags determining behavior of security operation functions.
Definition: crypto.h:383
alloc_buf
struct buffer alloc_buf(size_t size)
Definition: buffer.c:62
packet_id_free
void packet_id_free(struct packet_id *p)
Definition: packet_id.c:127
reliable_ack
The acknowledgment structure in which packet IDs are stored for later acknowledgment.
Definition: reliable.h:61
frame::headroom
int headroom
the headroom in the buffer, this is choosen to allow all potential header to be added before the pack...
Definition: mtu.h:108
openvpn_sockaddr::addr
union openvpn_sockaddr::@20 addr
gc
struct gc_arena gc
Definition: test_ssl.c:155
tls_auth_standalone
Definition: ssl_pkt.h:78